Intro to Mobile Device Testing


Presentation on theme: "Intro to Mobile Device Testing"— Presentation transcript:

1 Intro to Mobile Device Testing

2 $whoami Damian Profancik Senior Security Consultant
NCC Group (formerly iSEC Partners) @integrisec

3 North America: Atlanta, Austin, Chicago, New York, San Francisco, Seattle, Sunnyvale
Europe: Manchester (Head Office), Amsterdam, Cheltenham, Copenhagen, Edinburgh, Glasgow, Leatherhead, London, Luxembourg, Milton Keynes, Munich, Zurich
Australia: Sydney

4 Agenda: What? Why? Attack Surface. How?

5 What? iOS (iPhone/iPad), Android (Phones/Tablets), Windows Phone

6 Why? Ubiquitous, Critical data, Authentication

7 Attack Surface: Web Server APIs, Network Traffic, Data on Device, Data in Logs, Data in Memory, Application Source Code

8 How?

9 Jailbreak/Root: Breaks app sandbox, Access file system, Allows SSH, Allows debugging, Disable protections (SSL pinning, JB/Root detection)

10 Bypass Jailbreak/Root Detection
iOS: tsProtector P, Snoop-it, Xcon
Android: RootCloak

11 Tools (APIs/Network): Proxy: Burp, OWASP ZAP, Fiddler

12 Proxying Traffic Set proxy to listen on all interfaces

13 Proxying Traffic Download proxy CA certificate

14 Proxying Traffic Install CA certificate on device

15 Proxying Traffic Redirect traffic to proxy with Wifi Settings

16 Proxying Traffic: Redirect traffic to proxy with VPN
Windows: PPTP VPN – Routing and Remote Access
Mac: VPNActivator

17 Proxying Traffic Redirect traffic to proxy with VPN

18 Bypass Certificate Pinning
iOS: SSL Kill Switch, Snoop-it
Android: Android-SSL-TrustKiller

19 Attack Web Server APIs: OWASP Top 10 (SQLi, XSS, XXE, etc.), Session Management, Authentication/Authorization, Logic Flaws, Information Leaks

20 Analyze Network Traffic and Transport: Sensitive Information in URLs, HTTP, SSL v2/v3, Invalid Certificates, Weak Ciphers, Insecure Renegotiation
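The transport checks on this slide, turned into a small triage script. This is an added example, not code from the talk or from any of the tools it names. The request URLs and the TLS scan record are constructed (the hostname is a placeholder and the scan dict is this script's own format, not SSLyze's output); in a real test the URLs come from the proxy log and the protocol/cipher/certificate facts from a TLS scanner.

```python
"""
Transport-layer findings for the items on the "Analyze Network Traffic and
Transport" slide: cleartext HTTP, sensitive data in URLs, SSLv2/v3, weak
ciphers, invalid certificates and insecure renegotiation.
Added example; all sample data below is constructed.
"""
from urllib.parse import parse_qsl, urlsplit

# Parameter names that must not travel in a URL: URLs end up in server logs,
# proxy logs, browser history and Referer headers.
SENSITIVE_PARAMS = {
    "password", "passwd", "pwd", "token", "session", "sessionid",
    "api_key", "apikey", "ssn", "card", "cvv",
}
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3"}
# Substrings that mark a cipher suite as weak (RC4, DES/3DES, NULL, EXPORT,
# anonymous key exchange, MD5 MAC).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "anon")


def check_url(url):
    """Return findings for one request URL (empty list = nothing to report)."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme == "http":
        findings.append("cleartext HTTP")
    names = {name.lower() for name, _ in parse_qsl(parts.query, keep_blank_values=True)}
    hits = sorted(names & SENSITIVE_PARAMS)
    if hits:
        findings.append("sensitive parameter in URL: " + ", ".join(hits))
    return findings


def check_tls(scan):
    """Return findings for one host's TLS scan record (constructed dict format)."""
    findings = []
    for proto in scan.get("protocols", []):
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(f"deprecated protocol enabled: {proto}")
    for cipher in scan.get("ciphers", []):
        if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher: {cipher}")
    if not scan.get("cert_valid", True):
        findings.append("invalid certificate: " + scan.get("cert_error", "unspecified"))
    if scan.get("insecure_renegotiation"):
        findings.append("insecure renegotiation supported")
    return findings


# Constructed sample input (placeholder hostname).
SAMPLE_REQUESTS = [
    "https://api.example.test/v1/login",
    "http://api.example.test/v1/reset?token=abc123&user=alice",
    "https://api.example.test/v1/search?q=shoes",
]
SAMPLE_SCAN = {
    "host": "api.example.test",
    "protocols": ["SSLv3", "TLSv1.2"],
    "ciphers": ["TLS_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
    "cert_valid": False,
    "cert_error": "hostname mismatch",
    "insecure_renegotiation": True,
}


def report(requests=SAMPLE_REQUESTS, scan=SAMPLE_SCAN):
    """Map each URL / host that has findings to its list of findings."""
    out = {url: check_url(url) for url in requests if check_url(url)}
    tls = check_tls(scan)
    if tls:
        out[scan["host"]] = tls
    return out


if __name__ == "__main__":
    for subject, items in report().items():
        print(subject)
        for item in items:
            print("  -", item)
```

The URL check catches the "sensitive information in URLs" and "HTTP" items from the proxy log alone; the protocol, cipher, certificate and renegotiation items need a scanner's view of the server, which is why they are fed in as a separate record.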

21 Tools (Device Data/Logs)
iOS: SSH/SCP, iFunbox, iFile, SQLite Reader, Xcode (Plist), Keychain-Dumper, Snoop-it, class-dump-z, gdb
Android: SSH/SCP, SQLite Reader, Android Studio, keytool, XML files, adb

22 Tools (iFunbox)

23 Tools (Snoop-it)

24 Tools (iOS Logs – Xcode)

25 Tools (Android – Android Studio)

26 Tools (Device Memory)
iOS: gdb
Android: adb, Android Monitor (Heap Dump, Allocation Tracker)

27 What To Look For: Credentials, Encryption Keys, Cookies, Payment Cards, Personally Identifiable Information, Screenshots, Session Tokens, Cached Data
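A first-pass scanner for the "What To Look For" list, run over files pulled from a device. This is an added example, not code from the talk; the file contents are constructed sample data (placeholder paths and values) and the rules are deliberately simple, so a real engagement would extend them (and screenshots need a look at the image cache rather than a regex). Payment card candidates are confirmed with a Luhn check so that ordinary 16-digit identifiers are not reported.

```python
"""
Scan extracted device files for the artefacts on the "What To Look For" slide:
credentials, encryption keys, cookies, payment cards, PII, session tokens.
Added example; all sample files below are constructed.
"""
import re

# Each rule maps a finding label to a regex; dict order is the report order.
RULES = {
    "credential": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*\S+"),
    "private key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "session/token": re.compile(
        r"(?i)\b(?:session(?:id)?|auth[_-]?token|bearer|jsessionid)\b\s*[=:]\s*[A-Za-z0-9._-]{16,}"
    ),
    "cookie": re.compile(r"(?i)\b(?:Set-Cookie|Cookie):"),
    "email (PII)": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    # 13-19 digits, optionally separated by spaces or dashes; confirmed by Luhn below.
    "payment card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_ok(digits):
    """Luhn checksum: True for a syntactically valid card number string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(path, text):
    """Return (path, line_number, label) for every rule hit in one file's text."""
    findings = []
    for label, pattern in RULES.items():
        for match in pattern.finditer(text):
            if label == "payment card":
                digits = re.sub(r"[ -]", "", match.group(0))
                if not luhn_ok(digits):
                    continue        # a plain numeric id, not a card number
            line_no = text.count("\n", 0, match.start()) + 1
            findings.append((path, line_no, label))
    return findings


def scan_files(files):
    """files: {path: text}. Returns all findings across the set."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample of what a device pull might contain.
SAMPLE_FILES = {
    "Library/Caches/app.log": (
        "2016-03-01 10:00:01 login user=alice password=Sup3rSecret!\n"
        "2016-03-01 10:00:02 device_id=1234567890123456\n"
        "2016-03-01 10:00:03 Set-Cookie: JSESSIONID=9F2A7B1C3D4E5F60718293A4B5C6D7E8; Secure\n"
    ),
    "Documents/orders.db.txt": (
        "card=4111 1111 1111 1111 exp=12/20 name=Alice Example alice@example.test\n"
    ),
    "Library/Keys/backup.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n...constructed placeholder body...\n"
    ),
}

if __name__ == "__main__":
    for path, line_no, label in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no}: {label}")
```

The 16-digit device_id on line 2 of the log is matched by the card regex but rejected by the Luhn check, while the card in the orders file passes it; that distinction is what keeps the card rule from flooding the report with timestamps and identifiers.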

28 Attacking the App: SQLite Injection, Device XSS, WebViews/JavaScript Bridge
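The SQLite injection item, shown as the vulnerable query beside the parameterised fix. This is an added example with a constructed in-memory database, not code from the talk; the Python sqlite3 module stands in for the on-device APIs, and the same defect exists when an app builds the string passed to Android's rawQuery() or to sqlite3_exec() from untrusted input (a deep-link parameter, a server response, another app's intent).

```python
"""
SQLite injection in a local app database: vulnerable string-built query beside
the bound-parameter fix. Added example; the database and rows are constructed.
"""
import sqlite3


def make_db():
    """Constructed sample database: one table holding two users' notes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO notes (owner, body) VALUES (?, ?)",
        [("alice", "alice note"), ("bob", "bob secret")],
    )
    conn.commit()
    return conn


def notes_for_vulnerable(conn, owner):
    """Bug: the untrusted value is spliced into the SQL text and parsed as SQL."""
    sql = "SELECT body FROM notes WHERE owner = '%s'" % owner
    return [row[0] for row in conn.execute(sql)]


def notes_for_safe(conn, owner):
    """Fix: bind the value, so SQLite treats it as data whatever it contains."""
    rows = conn.execute("SELECT body FROM notes WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


# The textbook tautology, used only to show the two functions diverge.
CRAFTED_OWNER = "alice' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", notes_for_vulnerable(db, CRAFTED_OWNER))  # every user's rows
    print("safe:      ", notes_for_safe(db, CRAFTED_OWNER))        # no such owner: []
```

Binding parameters is the fix; validating or escaping the input is not a substitute, because the value is still interpolated into the statement text.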

29 Source Code Analysis
Android: dex2jar, apktool, JAD, Android Studio
iOS: gdb, Xcode

30 Q/A

31 Resources
OWASP Mobile Top 10 - Top_Ten_Mobile_Risks
iOS Testing Cheatsheet -
Android Testing Cheatsheet -

32 Resources
Network: SSLyze -, Burp Suite -
Android: Android Studio -, Android-SSL-TrustKiller -, dex2jar -, Apktool -, JAD -

33 Resources
iOS: Xcode - https://developer.apple.com/xcode/download/, SSL Kill Switch -, iFunbox -, snoop-it -, class-dump-z -, Keychain-Dumper -

34 $whoami Damian Profancik Senior Security Consultant
NCC Group (formerly iSEC Partners) @integrisec
